---
title: "NIS2 Identification: Inventories & Risk"
description: "NIS2 Identification controls (ID): asset inventories, risk assessment, and supply chain mapping. How to build a defensible identification framework."
canonical: https://www.aegister.com/en/cms/insights/nis2-identification-id-inventories-risk-assessment/
url: /en/cms/insights/nis2-identification-id-inventories-risk-assessment/
lang: en
---

# NIS2 Identification Controls (ID): Inventories, Risk Assessment, and Improvement Cycle

January 31, 2026

The NIS baseline Identification domain (ID) defines how entities maintain visibility over assets, assess cybersecurity risk, plan treatment actions, and run continuous improvement. For compliance execution, ID controls are the bridge between governance decisions and technical control prioritization.

Sources: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

## Key takeaways

- Identification controls are not only asset inventory tasks; they include risk evaluation, vulnerability handling, and improvement governance.
- Asset, software, service, and supplier visibility is required to support reliable risk decisions.
- Risk assessments must be documented, periodically updated, and linked to formal treatment plans.
- Improvement plans and updates should be traceable and governance-approved where required.

Sources: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## ID control model in practice

### 1. Asset management (ID.AM)

Maintain updated inventories for physical assets, software/services, and relevant network/service components used for critical activities.

### 2. Risk assessment (ID.RA)

Identify vulnerabilities; evaluate threats, vulnerabilities, probability, and impact; and document risk decisions with periodic reassessment triggers.

### 3. Risk treatment (ID.RA-06)

Define treatment options, priorities, responsibilities, and implementation timelines for each relevant risk scenario.

### 4. Vulnerability process (ID.RA-08)

Establish formal intake, analysis, and response processes for vulnerability disclosures and remediation tracking.

### 5. Improvement cycle (ID.IM)

Use incidents, monitoring outputs, and review results to update plans and improve controls and resilience posture.

Sources: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

## Minimum evidence set for ID readiness

| ID area | Practical objective | Typical evidence |
| --- | --- | --- |
| ID.AM | Complete and current visibility of relevant assets/services | Asset inventories, service inventories, update logs |
| ID.RA | Repeatable and documented risk evaluation | Risk assessment report, methodology, approval records |
| ID.RA-06 | Prioritized and owned treatment decisions | Risk treatment plan, owner matrix, deadlines |
| ID.RA-08 | Managed vulnerability intake and remediation | Vulnerability management procedure, remediation records |
| ID.IM | Continuous improvement from lessons learned | Improvement plan, update register, review outputs |

Sources: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## 90-day execution checklist

1. Reconcile existing asset inventories and define owners for update cadence.
2. Validate risk-assessment methodology and establish periodic review triggers.
3. Build or refresh the risk-treatment plan with measurable priorities and deadlines.
4. Formalize vulnerability-intake and remediation workflow with clear accountability.
5. Create an ID improvement register linked to incidents, audits, and management reviews.

## FAQ

### Are ID controls limited to maintaining an asset list?

No. The ID domain includes inventories, risk assessment, treatment planning, vulnerability processes, and improvement activities. Source: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

### How often should risk assessment be updated?

The baseline model requires periodic updates and additional updates when incidents, organizational changes, or exposure changes occur. Sources: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

### What is the operational output of ID.RA-06?

A documented treatment plan with selected options, responsible owners, implementation sequencing, and timing. Source: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## Related reading

- [NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations](/en/cms/insights/nis2-baseline-obligations-master-overview/)
- [NIS2 Article 24 in Practice: How to Implement Cybersecurity Risk-Management Measures](/en/cms/insights/nis2-article-24-risk-management-measures/)
- [NIS2 inventory of relevant systems and assets: practical guide to build an auditable register](/en/cms/insights/nis2-systems-assets-inventory-auditable-register/)

## Official sources

- [ACN - Baseline obligations determination and annexes](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)
- [ACN - Guide to reading baseline specifications](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)
